huntr | faisalfs10x | CC767DBC-C676-44C1-A9D1-CD17AE77EE7E
History: Feb 13, 2022 - 7:42 p.m.

Improper Access Control in salesagility/suitecrm

2022-02-13 19:42:52
faisalfs10x
www.huntr.dev
suitecrm v7.12.4
improper access control
account takeover
user profile modification
security vulnerability
burp suite interception
data modification

EPSS

0.001

Percentile

21.4%

Description

In SuiteCRM v7.12.4, affecting the Users module, any user whose User Type is Regular User can modify other users' profiles via the update profile section. The prerequisite for this attack is knowing the victim's user record ID (record) and username (User Name). The record IDs can be obtained from the employee section, while usernames can be obtained through the employee-records export bug. The impact can lead to account takeover, since the update profile section allows modifying related data including the email address and mobile number.

Proof of Concept

Affected endpoint:

1. POST http://{HOST}/index.php, parameters record and user_name

2. POST http://{HOST}/index.php

Steps to reproduce:

1. Log in as a user with the Regular User role.

2. Go to the profile section, intercept the request with Burp Suite, and click the Save button.

3. Change the record parameter to the victim's record, such as 1 for the default admin.

4. Change the user_name parameter to admin for the default admin.

5. Modify other information, such as the email or phone number if present, and forward the request in Burp.

6. Observe the changes in the admin profile.

Request file: Modify other user profile via the update profile section, pwd: 7Ty6DfTmuc4

Request file: Downgrade Role from Admin to Regular user, pwd: 7Ty6DfTmuc4

Impact

This vulnerability allows modifying someone else's account by supplying its unique identifier.
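The root cause described above is a save handler that selects the target row from the client-supplied record and user_name parameters instead of from the authenticated session. The following is an added illustration, not SuiteCRM's PHP code: a Python stand-in for the profile save handler showing the vulnerable pattern beside a version that derives authorisation from the session user and restricts which columns a non-admin may write. The User model, the is_admin flag, the phone_mobile column and the in-memory user table are assumptions.

```python
from dataclasses import dataclass

@dataclass
class User:
    id: str
    user_name: str
    email: str
    phone_mobile: str = ""
    is_admin: bool = False   # assumed role flag, stands in for the admin role

def make_users():
    """Constructed stand-in for the Users module table (id 1 = default admin)."""
    return {
        "1": User("1", "admin", "admin@example.test", is_admin=True),
        "7": User("7", "regular", "regular@example.test"),
    }

# Columns a non-admin may change on their own record; role flags are excluded.
SELF_EDITABLE = {"email", "phone_mobile"}

class Forbidden(Exception):
    pass

def save_profile_vulnerable(users, session_user_id, params):
    """Vulnerable pattern from the report: the target row comes from the
    submitted `record`, and every submitted column is written, so a regular
    user can edit another user's email or demote an admin."""
    target = users[params["record"]]
    for key, value in params.items():
        if key != "id" and hasattr(target, key):
            setattr(target, key, value)
    return target

def is_authorized(actor, params):
    """Decide from the session user, not from `record`/`user_name` in the body."""
    if actor.is_admin:
        return True
    if params.get("record", actor.id) != actor.id:
        return False   # request names another user's record
    if params.get("user_name", actor.user_name) != actor.user_name:
        return False   # submitted identifiers disagree with the session
    return not (set(params) - SELF_EDITABLE - {"record", "user_name"})

def save_profile_fixed(users, session_user_id, params):
    """Hardened handler: reject the request before touching any row."""
    actor = users[session_user_id]
    if not is_authorized(actor, params):
        raise Forbidden("profile update rejected")
    target = users[params.get("record", actor.id)]
    for key, value in params.items():
        if key in SELF_EDITABLE or (actor.is_admin and key != "id" and hasattr(target, key)):
            setattr(target, key, value)
    return target
```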
